My Node.js backend already has 2FA

Why would authentication at MongoDB be needed if my Node.js backend already has 2FA installed?

Hi @Pieter_16800, can you please provide more details regarding your doubt?
I am assuming by “2FA installed” you mean that you are handling authentication (like Login/Signup) of your app/website users in your backend using 2FA, but please let me know if I am missing something here.

The reason why you would still be needing authentication at the MongoDB side is to protect your MongoDB deployment from unwanted access from anywhere else.

Also, suppose your analytics team wants to use the data stored in MongoDB and they want to perform some read operations (like aggregation queries) to gain insights about the product performance, etc. Usually in these cases, to avoid the risk of accidental deletion/modification of the existing data, you would create a database user with the appropriate read permissions & selected collections on which they want to perform the analytics.

Hence, authentication at MongoDB is really important, even if you are implementing 2FA for your users in the backend.

In case you have any doubts, please feel free to reach out to us.

Thanks and Regards.
Sourabh Bagrecha,
Curriculum Services Engineer

Hi Sourabh, thanks for your input. And yes, I mean “2FA implemented”, sorry for using sloppy English. I have built a subscription service for cookbook recipes with a Next.js frontend at Vercel using a Sanity backend (React.js) for the recipe and news data and a Node.js backend (using MongoDB) at Heroku for the user profiles. In Sanity Studio food editors can edit recipes and news items. In MongoDB users can store recipes, create their own recipes, send emails with recipe details, create a shopping list. These users first need to create a user account to be authorised for these activities. The implementation of 2FA involves Nodemailer, SendGrid and JSON Web Tokens. You can try for yourself at https://hetkookt.vercel.app/ :-) This project is a Proof Of Concept, so no team is involved, just yet. But I sure want to know why this is not safe. Thanks, Pieter Roozen

Hi @Pieter_16800, that’s awesome, MERN stack is my favorite, and I use it in almost all of my full stack projects, and Next.js & Vercel are my go-to choices for SSR (server-side rendering).

Having said that, even if you are the only person working on the project, I would still recommend you to implement authorization on your MongoDB server.

Also, it may happen that you are leveraging authorization in MongoDB without even knowing it, e.g. when you are connecting your Node.js server with your MongoDB deployment, you might be connecting them through a Connection-String, which in fact asks you to add the username & password of the database user that you have created.

A typical connection-string would look something like this:

mongodb://[username:password@]host1[:port1][,…hostN[:portN]][/[defaultauthdb][?options]]

So having a good knowledge of how authorization/authentication works in MongoDB will give you a better understanding of how things work behind the scene and how you can better secure them.

I hope it helps.
In case you have any doubts, please feel free to reach out to us.

Thanks & Regards.
Sourabh Bagrecha,
Curriculum Services Engineer

Yes, connecting with a “connection-string” is exactly how I grant access in my case to Heroku, so that is safe, right? What would this whole authentication thing at the same time do any extra? Does it give access to users on developer level to a specific database, or what? Thanks, Pieter

Hi @Pieter_16800, yes that’s safe, but just make sure that you are only providing the permissions that are necessary to do the job (running the server).

There’s a lot more than just the connection string that MongoDB provides, you’ll learn a lot about them in this course: Authentication & Authorization.

For example, running a single MongoDB instance is not ideal in production, you usually replicate your data among different instances in a single replica-set.
Also, when your app grows to a point where running a single replica-set to store all your data, then you might want to shard your very giant collections into multiple replica-sets.

In cases like these you need a mechanism to internally authenticate different MongoDB instances among each other for communication and data transfer purposes. Hence, concepts like Internal/Membership Authentication help you in achieving that.

There are a lot of things to learn about Security that MongoDB provides out-of-the-box, such as authentication, access control, encryption, to secure your MongoDB deployments. Learn more.

I hope it helps.

In case you have any doubts, please feel free to reach out to us.

Thanks and Regards.
Sourabh Bagrecha,
Curriculum Services Engineer
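As an added illustration of two points made in these replies (the read-only database user for an analytics team scoped to selected collections, and granting the server only the permissions it needs), here is a mongosh-style script that builds the createRole/createUser command documents and a properly encoded connection string. It is not code from this thread or from MongoDB's own docs; the database name "hetkookt", the collection names and the role/user names are assumptions.

```javascript
// Added example, not from the original thread. Builds MongoDB command
// documents for a least-privilege analytics user: read-only actions on
// selected collections only, no inherited roles. Names are assumptions.

const READ_ONLY_ACTIONS = ["find", "listIndexes", "collStats"];
const WRITE_ACTIONS = new Set(["insert", "update", "remove", "dropCollection"]);

// Custom role granting read-only actions on exactly the named collections.
function analyticsRoleCommand(dbName, collections) {
  return {
    createRole: "recipeAnalyticsReader",
    privileges: collections.map((coll) => ({
      resource: { db: dbName, collection: coll },
      actions: [...READ_ONLY_ACTIONS],
    })),
    roles: [], // inherit nothing, so no write or admin capability sneaks in
  };
}

// User bound to that role only, authenticating against the same database.
function analyticsUserCommand(dbName, username, password) {
  return {
    createUser: username,
    pwd: password,
    roles: [{ role: "recipeAnalyticsReader", db: dbName }],
  };
}

// Least-privilege check: true if any privilege in the role can modify data.
function roleGrantsWrite(roleCmd) {
  return roleCmd.privileges.some((p) => p.actions.some((a) => WRITE_ACTIONS.has(a)));
}

// Connection string in the form quoted in the thread; credentials are
// percent-encoded so characters like '@' or ':' in a password stay intact.
function connectionString(username, password, host, dbName) {
  const user = encodeURIComponent(username);
  const pwd = encodeURIComponent(password);
  return `mongodb://${user}:${pwd}@${host}/${dbName}?authSource=${dbName}`;
}

// Only executes inside mongosh (global `db` exists), e.g. via load("file.js").
if (typeof db !== "undefined") {
  const target = db.getSiblingDB("hetkookt"); // assumed database name
  target.runCommand(analyticsRoleCommand("hetkookt", ["recipes", "shoppinglists"]));
  target.runCommand(analyticsUserCommand("hetkookt", "analytics", "CHANGE-ME-PASSWORD"));
}
```

Run it with mongosh as a user that holds userAdmin on the target database; in plain Node.js only the pure functions execute, which is handy for unit tests.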

Thank you for your detailed answer. I fully understand now! Cheers, Pieter

